Exchange ActiveSync is great for "push" email synchronization with mobile devices, but as a mobile device management platform it has serious architectural and administrative limitations that leave you exposed to significant security risks. To illustrate the point, let's examine how many companies enable access to Exchange from mobile devices.
What your mobile users want is access to their corporate email. To accomplish this, an ActiveSync "partnership" must be established between the user's mobile device and their Exchange mailbox. Many companies do this by enabling ActiveSync on their server and allowing each mobile user to establish this partnership from their mobile device. This satisfies the mobile user because they have immediate access to their email and calendar. However, your IT team may receive no indication when these partnerships are established, and may have no knowledge of which mailboxes have partnerships or which devices are partnered with each mailbox.
Worse still, unless you are using the Allow/Block/Quarantine (ABQ) list functionality in Exchange 2010, the Exchange Management Console provides no easy way to learn this information. Your options are to individually inspect every single mailbox (not practical or scalable) or start learning PowerShell. For these reasons, many IT organizations don’t have the capacity or skills required to keep up. When we ask customers and prospects about their ActiveSync partnerships, we are continually surprised by how different their perception is from reality. Often we discover there are significantly more mobile devices partnered to Exchange mailboxes than the IT team believed existed. So the reality is that there are a significant number of unmanaged and unsecured devices with access to corporate data, and these are the devices most likely to be lost or stolen. That will keep a CSO awake at night.
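
The PowerShell route mentioned above can be sketched as a partnership inventory. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell, and the 30-day staleness threshold and the output file name are illustrative choices.

```powershell
# Added example: inventory ActiveSync partnerships (Exchange 2010 Management Shell).
# Assumptions: $StaleDays and $OutFile are illustrative values, not from the article.
$StaleDays = 30
$OutFile   = '.\ActiveSyncPartnerships.csv'
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Only mailboxes that currently hold at least one device partnership.
$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$inventory = foreach ($mbx in $mailboxes) {
    # One statistics object is returned per partnered device.
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity | ForEach-Object {
        # A device that never synced, or has not synced recently, is a
        # candidate for review (possibly lost, replaced, or abandoned).
        $stale = (-not $_.LastSuccessSync) -or ($_.LastSuccessSync -lt $cutoff)
        New-Object PSObject -Property @{
            Mailbox         = $mbx.PrimarySmtpAddress
            DeviceType      = $_.DeviceType
            DeviceModel     = $_.DeviceModel
            DeviceID        = $_.DeviceID
            UserAgent       = $_.DeviceUserAgent
            AccessState     = $_.DeviceAccessState
            FirstSyncTime   = $_.FirstSyncTime
            LastSuccessSync = $_.LastSuccessSync
            Stale           = $stale
        }
    }
}

# Full per-device report for the security team.
$inventory |
    Select-Object Mailbox, DeviceType, DeviceModel, DeviceID, UserAgent,
                  AccessState, FirstSyncTime, LastSuccessSync, Stale |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick view: how many devices each mailbox has, largest first.
$inventory | Group-Object Mailbox |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Devices that have not synced within the threshold.
$inventory | Where-Object { $_.Stale } |
    Select-Object Mailbox, DeviceModel, DeviceID, LastSuccessSync |
    Format-Table -AutoSize
```

Comparing the device count in this report with the number of devices IT believes it has issued or approved shows the gap between perception and reality described above.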









